Office of Inspector General
for the Millennium Challenge Corporation

June 1, 2011

Ms. Victoria B. Wassmer
Vice President of Department of Administration and Finance
Millennium Challenge Corporation
875 Fifteenth Street, N.W.
Washington, DC 20005

Dear Ms. Wassmer:

This letter transmits the Office of Inspector General's final report on the Survey of the Millennium Challenge Corporation's Implementation of Selected Controls Over Personal Digital Assistants (M-000-11-007-S). In finalizing this report, we considered your written comments on our draft report and included those comments in their entirety in Appendix II of this report.

Although this is not an audit report, it contains four recommendations to strengthen the Millennium Challenge Corporation's controls over its personal digital assistants. We agree with MCC's management decisions for Recommendations 1, 2, 3, and 4.

I appreciate the cooperation and courtesy extended to my staff during this audit.

Sincerely,

/s/

Alvin A. Brown
Assistant Inspector General
Millennium Challenge Corporation

cc: Mark Sandy, Managing Director, Administration and Finance
    Dennis Laurer, Chief Information Officer
    Arlene McDonald, Compliance Officer

Millennium Challenge Corporation
1401 H Street, NW
Suite 770
Washington, DC 20005
www.usaid.gov/oig

SUMMARY

A personal digital assistant (PDA) is a mobile device that may be used for voice calls, text messages, data storage, accessing the Internet, sending/receiving e-mail, and performing other tasks such as calculations. Nonetheless, PDAs present a variety of risks, including improper personal use and unauthorized access.

The Millennium Challenge Corporation (MCC) has an average of 315 PDA users and budgeted $480,000 in fiscal year 2011 for PDA services. This survey was initiated to determine whether MCC implemented selected controls to reduce the risks to its PDAs. For this survey, the selected controls were (1) approval for staff to receive PDAs, (2) reviews of PDA charges, (3) collections for unauthorized use of PDAs, and (4) selected security controls.

This survey found that MCC implemented the following controls over its PDAs:

• Collected money from its PDA users for unauthorized charges reported to the Chief Information Officer.
• Adopted the Department of Defense checklist as the baseline for securing its BlackBerrys.
• Documented its BlackBerry configuration security policy.
• Prepared a Policy on Personal Digital Assistants (November 26, 2008) to inform employees about the laws, regulations, and policies governing the issuance and use of MCC-owned PDAs.
• Configured the server for the PDAs to perform the following functions:
  - Encrypt the disks
  - Require an 8-character alphanumeric password
  - Lock after 15 minutes of inactivity and require that the user reenter the PDA's password to unlock the device
  - Block the installation of third-party software
  - Prevent users from disabling the password requirement
  - Prevent outgoing calls when the device is locked

Nonetheless, MCC did not (1) prepare procedures for reviewing PDA bills (pages 3–4), (2) consistently document PDA approvals for staff at the level of program officer and above and for full-time personal service contractors (PSCs) (page 4), or (3) consistently prepare justifications for issuance of PDAs (pages 5–6). To correct these control weaknesses, this report recommends that MCC:

1. Develop procedures to review PDA bills (page 4)
2. Document and implement procedures for program officers and above and full-time personal service contractors to receive PDAs (page 5)
3. Revise MCC's PDA policy to reflect the current management position regarding the issuance of PDAs to staff who are program officers and above and full-time PSCs (page 5)
4. Prepare and implement documented procedures to define what information is required to justify the need for staff below the program officer level, contractors, and intermittent PSCs to receive a PDA (page 6)

Detailed results of this survey appear in the following section. Appendix I contains the scope and methodology. MCC provided comments on the draft report, which are included in their entirety in Appendix II. OIG agrees with MCC's management decisions on all four recommendations (page 7).

SURVEY FINDINGS

Procedures Not Prepared for Reviews of Personal Digital Assistant Bills

MCC's Policy on Personal Digital Assistants (November 26, 2008), section 5.2, states:

    MCC employees will reimburse MCC for all personal calls that result in an increased cost to MCC. Department vice presidents will ensure that monthly PDA bills are reviewed and must report any unauthorized PDA use to the CIO [Chief Information Officer] by the 20th of every month.

In addition, the U.S. Government Accountability Office's[1] Standards for Internal Control in the Federal Government (November 1999) states that "[i]nternal control and all transactions and other significant events need to be clearly documented, and the documentation should be readily available for examination." Further, "[a]ll documentation and records should be properly managed and maintained."

However, MCC did not maintain documentation of its reviews of PDA bills. MCC officials acknowledged that MCC does not have procedures for implementing its PDA policy. Specifically, MCC does not have procedures that explain to MCC staff what documentation must be maintained for reviews of PDA bills or that require staff to certify that the bills were reviewed. In addition, MCC does not have procedures describing how MCC staff should conduct their reviews, including which items to focus on (e.g., roaming charges, excessive airtime minutes). Finally, although one department established a $200 threshold, MCC did not establish corporation-wide thresholds for when to conduct a detailed review of an individual's charges.

As a result, MCC did not have assurance that it was reimbursed for unauthorized staff calls. For example, Table 1 shows that from August through December 2010 there were 342[2] instances (totaling more than $124,000)[3] in which individual PDA users' charges exceeded $100.

Table 1. Total Individuals' Monthly Charges Over $100 (August–December 2010)[4]

    Range of Monthly Charges    No.      Amount
    $101–$200                   148     $20,985
    $201–$299                    60     $15,288
    $300–$500                    55     $20,529
    Over $500                    79     $67,605
    Total                       342    $124,407

In addition, the individual responsible for administratively approving the PDA bill for payment had no assurance that the amounts approved for payment were correct, as required by the delegation of authority from the cognizant contracting officer. For the first 11 months of fiscal year 2010, approved payments amounted to more than $425,000.[5] Finally, it is imperative that MCC implement controls over areas such as this, which the public can perceive as Government abuse. Therefore, OIG makes the following recommendation.

    Recommendation 1. We recommend that the Millennium Challenge Corporation's Chief Information Officer develop procedures for reviews of its personal digital assistants bills, including—

    • Requirements to maintain documentation that bills were reviewed, including certifications from those responsible for reviewing the bills.
    • A description of how the reviews should be conducted, including what items to focus on and organization-wide thresholds for when to conduct detailed reviews of an individual's charges.

[1] Formerly called the General Accounting Office.
[2] Unaudited.
[3] Unaudited.
[4] Unaudited; Source: OIG analysis of MCC's data on PDA charges.
[5] Unaudited.

Required Approvals Not Consistently Documented for Issuance of PDAs

According to MCC's Policy on Personal Digital Assistants, section 5.1:

    Employees at the level of program officers and above and full-time personal services contractors (PSC) may receive a PDA. However, the employee's supervising managing director should make an individualized decision as to whether or not an employee should be issued a PDA.

MCC did not consistently document PDA approvals for staff at the level of program officer and above and full-time PSCs. Specifically, MCC staff who already had a BlackBerry before BlackBerrys were replaced or upgraded from December 2008 through March 2009 were given a new one without receiving approval from their supervisor. In addition, after the refresh, those who were directors or above received a PDA upon request, whereas an e-mail approval was required only for those below the director level.

This weakness occurred primarily because MCC did not document and implement procedures describing the documentation of approvals required for employees at the level of program officers and above and full-time PSCs. Moreover, although MCC policy requires those individuals to have supervisory approvals, MCC management's views may have changed concerning who should receive a PDA. Specifically, although a definitive position has not been reached, MCC management seems to believe that all program officers and above and full-time PSCs need to be issued a PDA as part of the standard equipment, such as computers and telephones. Thus, MCC's PDA policy may be outdated.

Because MCC staff have not received approvals, MCC has no assurance that staff who have PDAs need them to conduct MCC business. Therefore, OIG makes the following recommendations.

    Recommendation 2. We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement procedures (a) describing the required documentation that supervisors must submit for program officers and above and full-time personal service contractors to receive personal digital assistants and (b) requiring supervisors to periodically recertify (in a predefined timeframe) staffs' continued need for personal digital assistants.

    Recommendation 3. We recommend that the Millennium Challenge Corporation's Chief Information Officer review and revise the Millennium Challenge Corporation's Policy on Personal Digital Assistants to reflect the Corporation's current management position regarding the issuance of personal digital assistants to staff who are program officers and above and full-time personal service contractors.

Required Justifications Not Consistently Prepared for Issuance of PDAs

According to MCC's Policy on Personal Digital Assistants, section 5.1, employees at the level of program officers and above and full-time PSCs may receive a PDA. However, the policy further states that—

• Other MCC employees may receive PDAs if the employee's departmental vice president submits a written justification to the CIO.
• On-site independent contractors may be issued PDAs if their contracting officer's technical representative submits a written justification through their department's vice president. The vice president will endorse the request and the CIO will review the request.
• Intermittent PSCs require a waiver from the department vice president to receive a PDA.

All 10 BlackBerry users sampled had written waivers on file provided through their department vice presidents to the CIO. However, five of the waivers did not include a justification for providing those individuals with a PDA. Instead, those five waivers only cited sections from MCC PDA policy regarding the use of BlackBerrys and which employees could receive waivers. Further, two of the five waivers included handwritten names that had been added after the waivers were digitally signed. Thus, for those two it was not clear whether and when the users had gone through the required waiver process.

This problem occurred because MCC did not have procedures to define the information required to justify the need for a PDA. As a result, MCC did not have assurance that staff below the program officer level, contractors, and intermittent PSCs who have been issued PDAs need them to conduct official MCC business.

Since the time those justifications were prepared, MCC has developed an automated form that must be used to prepare waivers. The form allows only one name to be entered, and the justification field cannot be blank. Nonetheless, as MCC officials acknowledged, MCC should periodically recertify whether all users continue to need a PDA. Therefore, OIG makes the following recommendation.

    Recommendation 4. We recommend that the Millennium Challenge Corporation's Chief Information Officer prepare and implement documented procedures to (a) define what information is required to justify the need for a personal digital assistant for staff below the program officer level, contractors, and intermittent personal service contractors and (b) require supervisors to periodically recertify (in a predefined timeframe) staffs' continued need for personal digital assistants.

Evaluation of Management Comments

The Millennium Challenge Corporation provided written comments to the draft report that are included in their entirety in Appendix II. MCC agreed to take corrective action on all four recommendations in the draft report.

For Recommendation 1, MCC agreed to develop a procedure for the monthly review of PDA bills by April 1, 2012. OIG agrees with MCC's management decision.

For Recommendation 2, MCC agreed to develop guidelines consistent with MCC's PDA policy to outline the requirements for staff to receive PDAs. In addition, MCC agreed to prepare procedures requiring a documented business case for all staff who require PDAs and a semiannual recertification to document the continued need for PDAs. MCC will complete the guidelines and procedures by April 1, 2012. OIG agrees with MCC's management decision.

For Recommendation 3, MCC agreed to develop an information technology project risk management policy by April 8, 2011. OIG agrees with MCC's management decision.

For Recommendation 4, MCC agreed to update the Contracts Operating Manual to include procedures for incorporating risk management and earned value management in contracting actions, when required. MCC plans to take final corrective action by March 31, 2011. OIG agrees with MCC's management decision.

Appendix I

Scope and Methodology

Scope

OIG conducted this survey of the MCC's implementation of selected controls for its PDAs in accordance with Government Auditing Standards, except that OIG did not—

• Research and identify legal and regulatory requirements related to this survey objective.
• Assess audit risk.
• Perform a risk assessment via a team discussion to determine the likelihood that noncompliance resulting from illegal acts and fraud could have a significant impact on this survey objective.[6]
• Identify current OIG/Investigations cases or information related to the subject.
• Coordinate with other auditors.
• Perform specific tests for illegal acts, fraud, and abuse.

[6] No instances of illegal acts were identified during this survey.

This survey was performed in Washington, DC, from February 3 through March 23, 2011. To answer our survey objective, we interviewed MCC officials and contractors responsible for PDAs. In addition, we reviewed contracting actions, MCC policies, waivers given to PDA users, and MCC's report on reimbursements for unauthorized PDA charges. We also analyzed PDA charges from August through December 2010 and user roles on the BlackBerry Enterprise Server. For this survey, we focused on the following selected controls: (1) approval for employees to receive PDAs, (2) reviews of PDA charges, (3) collections for unauthorized use, and (4) selected security controls.

Methodology

To answer the survey objective, using MCC's Policy on Personal Digital Assistants (November 26, 2008), OIG (1) reviewed approvals for MCC staff to receive PDAs, (2) assessed MCC's reviews of PDA charges, and (3) assessed collections for unauthorized use. OIG also evaluated selected security controls over PDAs based on MCC's Information Systems Security Policy (May 4, 2010). Specifically, OIG determined whether—

• A judgmental sample of MCC employees at or above the program officer level and full-time personal services contractors received approval from their respective supervising managing director to receive PDAs. Specifically, we used a random number generator to select 10 (4 percent) of the 249 PDA users in this category, as shown in MCC's PDA inventory. We selected a relatively small percentage of the population because, in our opinion, those individuals are more likely to need PDAs for business.

• Departmental vice presidents submitted a written justification to the Chief Information Officer for a judgmental sample of MCC employees below the program officer level, part-time personal services contractors, and on-site independent contractors to be issued PDAs. We used a random number generator to select 10 (15 percent) of the 65 PDA users in this category, as shown in MCC's PDA inventory. We selected a relatively large percentage of the population because, in our opinion, those individuals are less likely to need PDAs for business.

• Departmental vice presidents ensured that monthly PDA bills were reviewed and that unauthorized PDA use was reported to the Chief Information Officer by the 20th of the month.

• MCC collected costs associated with unauthorized use of PDAs.

• MCC configured its PDAs in accordance with selected security requirements.

Appendix II

Management Comments

May 10, 2011

MEMORANDUM TO: Alvin A. Brown
               Assistant Inspector General for the Millennium Challenge Corporation

FROM:          Dennis Lauer /s/
               Chief Information Officer (CIO)
               Millennium Challenge Corporation (MCC)

SUBJECT:       MCC Comments on the Survey of the Millennium Challenge Corporation's Implementation of Selected Controls Over Personal Digital Assistants (M-000-11-00X-S).

The Millennium Challenge Corporation (MCC) appreciates the opportunity to comment on the survey of the MCC's Implementation of Selected Controls over Personal Digital Assistants (PDAs). This memorandum serves as Management Decision for the four recommendations resulting from this survey.

MCC concurs with the four PDA survey recommendations and the two supplemental PDA survey recommendations. Considering that MCC has only operated for seven years, there has already been significant progress in establishing controls and governance over the PDA program, including:

1. MCC developed a Personal Data Assistant (PDA) Policy;

2. MCC has a monthly bill/usage review process;

3. Unlike many USG agencies, MCC has implemented Federal Desktop Core Configuration (FDCC) compliant security controls on all mobile devices;

4. MCC has initiated a review of the PDA policy to account for the recommendations in this survey; and

5. Between 2008 and 2011, MCC reduced the annual cost of PDAs by 25% and has set a goal to reduce the cost of PDAs by another 25% in the next year.

MCC's Management Response to your recommendations follows:

Recommendation No. 1: We recommend that the Millennium Challenge Corporation's Chief Information Officer develop procedures for reviews of its personal digital assistants bills, including:

• Requirements to maintain documentation that bills were reviewed, including certifications from those responsible for reviewing the bills.

• A description of how the reviews should be conducted, including what items to focus on and organization-wide thresholds for when to conduct detailed reviews of an individual's charges.

Management Response: MCC will develop a procedure for the monthly review of PDA bills by April 1, 2012.

Recommendation No. 2: We recommend that the Millennium Challenge Corporation's Chief Information Officer document and implement procedures (a) describing the required documentation that supervisors must submit for program officers and above and full-time personal service contractors to receive personal digital assistants and (b) requiring supervisors to periodically recertify (in a predefined time frame) staffs' continued need for personal digital assistants.

Management Response: MCC will develop guidelines consistent with the PDA policy outlining the requirements for staff to receive PDAs and a procedure requiring a documented business case for all staff that require PDAs. The procedure will require a semi-annual recertification process documenting the continued need for personal digital assistants. MCC will complete the guidelines and procedures associated with this recommendation by April 1, 2012.

Recommendation No. 3: We recommend that the Millennium Challenge Corporation's Chief Information Officer review and revise the Millennium Challenge Corporation's Policy on Personal Digital Assistants to reflect the Corporation's current management position regarding the issuance of personal digital assistants to staff who are program officers and above and full-time personal service contractors.

Management Response: MCC will review and revise the MCC's Policy on Personal Digital Assistants to reflect the agency's current management position regarding the issuance of PDAs to staff who are program officers and above and full-time personal service contractors by December 30, 2011.

Recommendation No. 4: We recommend that the Millennium Challenge Corporation's Chief Information Officer prepare and implement documented procedures to (a) define what information is required to justify the need for a personal digital assistant for staff below the program officer level, contractors, and intermittent personal service contractors and (b) require supervisors to periodically recertify (in a predefined time frame) staffs' continued need for personal digital assistants.

Management Response: MCC will develop guidelines consistent with the PDA policy outlining the requirements for staff to receive and to continually possess PDAs by April 1, 2012.

Attachments:

IG/MCC, Lisa Banks
IG/MCC, Aleta Johnson
MCC/AF/FMD, Arlene McDonald
MCC/AF/FO, Mark Sandy